I recommend reviewing the ISS X-Force presentation titled "Advanced Software Vulnerability Assessment", presented at last year's Black Hat Briefings in Las Vegas. The presentation outlines some of the techniques that the X-Force team uses to uncover vulnerabilities in source code. In the presentation, we covered the fact that the automated tools used to uncover flaws aren't good for finding anything besides the most trivial vulnerabilities.

Presentation details and PowerPoint:
http://www.blackhat.com/html/bh-usa-02/bh-usa-02-speakers.html#Dowd

Presentation video:
rtsp://media-1.datamerica.com/blackhat/bh-usa-02/video/BH-USA-02-DOWD-HERATH-MEHTA-FLAKE.rm

Regards,

===============================
Dan Ingevaldson
Engineering Manager, X-Force R&D
dsiat_private
404-236-3160
Internet Security Systems, Inc.
The Power to Protect
http://www.iss.net
===============================

-----Original Message-----
From: Nicole Nicholson [mailto:nanicholsonat_private]
Sent: Wednesday, June 11, 2003 9:42 AM
To: dwarkeeperat_private
Cc: vuln-devat_private
Subject: Re: Research on Source Code Review -C

Dwar-

I don't know if you have looked at any of these sites. They actually contain tools & publications for source code analysis and review. You may be able to use some of their literature and/or documentation to develop a set of guidelines.

http://www.cenzic.com/
http://www.cigital.com/
http://www.dwheeler.com/flawfinder/
http://www.securesoftware.com/

Cheers.
-Nicole

<snip>
Am looking to develop source code review guidelines for code written in C/C++. I have found a few documents on the net but nothing that could be really followed along to do source code review. I also wanted to know what people in the field are actually doing and also if they could provide first-hand experience as to what all they look for and how.
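[Editor's note, added to this archive page: the following example is not from the X-Force presentation, from Dan's message, or from any of the tools Nicole lists. It illustrates the point made above, that a scanner which matches on function names (strcpy, sprintf, gets) will stay silent on a whole class of bugs a human reviewer of C/C++ code is expected to catch. The wire format, the function names vuln_plan and safe_parse, and the sample messages are all made up for the example. The vulnerable reader computes its lengths in 32-bit arithmetic that wraps; the hardened reader arranges every comparison so it cannot.]

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed wire format for this example only (not any real protocol):
 *   4-byte big-endian payload length, then `length` bytes of payload. */
#define HDR_LEN     4u
#define MAX_PAYLOAD 4096u

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* What the vulnerable reader would do with a message, recorded instead of
 * executed so the example can run without corrupting the heap. */
struct copy_plan {
    int      accepted;  /* 1 if the length check passed */
    uint32_t alloc;     /* bytes it would pass to malloc() */
    uint32_t copy_len;  /* bytes it would then memcpy() into that buffer */
};

/* VULNERABLE (hypothetical code).  No strcpy/sprintf/gets appears, so a
 * name-matching scanner reports nothing.  Both sums are 32-bit and wrap:
 * with payload_len == 0xFFFFFFFF, `payload_len + HDR_LEN` is 3 (the bounds
 * check passes) and `payload_len + 1` is 0, so the real code would
 * malloc(0) and then memcpy ~4 GiB into it. */
struct copy_plan vuln_plan(const uint8_t *msg, uint32_t msg_len)
{
    struct copy_plan p = { 0, 0, 0 };
    if (msg_len < HDR_LEN)
        return p;
    uint32_t payload_len = be32(msg);
    if (payload_len + HDR_LEN > msg_len)      /* intended bounds check; wraps */
        return p;
    p.accepted = 1;
    p.alloc    = payload_len + 1;             /* room for a NUL; also wraps */
    p.copy_len = payload_len;
    return p;
}

/* HARDENED (hypothetical code).  A fixed ceiling is applied before any
 * arithmetic, then the known-smaller header length is subtracted from
 * msg_len instead of being added to the untrusted value.  Returns a
 * NUL-terminated copy of the payload (caller frees) or NULL on rejection. */
char *safe_parse(const uint8_t *msg, uint32_t msg_len, uint32_t *out_len)
{
    if (msg_len < HDR_LEN)
        return NULL;
    uint32_t payload_len = be32(msg);
    if (payload_len > MAX_PAYLOAD)            /* ceiling first */
        return NULL;
    if (payload_len > msg_len - HDR_LEN)      /* msg_len >= HDR_LEN, no wrap */
        return NULL;
    char *buf = malloc(payload_len + 1);      /* <= MAX_PAYLOAD + 1 */
    if (buf == NULL)
        return NULL;
    memcpy(buf, msg + HDR_LEN, payload_len);
    buf[payload_len] = '\0';
    if (out_len)
        *out_len = payload_len;
    return buf;
}

/* Constructed inputs: a well-formed 5-byte record and a hostile header. */
static const uint8_t GOOD_MSG[] = { 0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t EVIL_MSG[] = { 0xFF, 0xFF, 0xFF, 0xFF, 'x', 'x', 'x', 'x' };

int main(void)
{
    struct copy_plan p = vuln_plan(EVIL_MSG, sizeof EVIL_MSG);
    printf("vulnerable reader: accepted=%d alloc=%u copy_len=%u\n",
           p.accepted, p.alloc, p.copy_len);

    uint32_t n = 0;
    char *s = safe_parse(EVIL_MSG, sizeof EVIL_MSG, &n);
    printf("hardened reader, hostile input: %s\n", s ? "ACCEPTED" : "rejected");
    free(s);

    s = safe_parse(GOOD_MSG, sizeof GOOD_MSG, &n);
    printf("hardened reader, good input: \"%s\" (%u bytes)\n", s ? s : "(null)", n);
    free(s);
    return 0;
}
```

The thing to take from this for a review checklist: whenever an untrusted length is added to, multiplied by, or used to index anything, ask what the expression's width is and whether the comparison was written so that the untrusted operand is on its own. That question has no function-name signature for a lexical tool to match on.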
This archive was generated by hypermail 2b30 : Thu Jun 12 2003 - 12:12:46 PDT